I use Private Internet Access as my VPN service. Before I had a 440, I was using another vendor and I would place OpenWRT behind it to host VPN services and just run them through my main firewall.
Now that I have a 440, I would like to know if it’s possible to use my VPN service directly on the 440. Otherwise, I guess I go back to having OpenWRT behind the 440 again to run the VPN service through it.
Thoughts?
PA does not support OpenVPN or Wireguard etc, so you will need something behind the PA. I do similar with a 2nd gateway on my LAN for anything to route out the VPN, the 2nd gateway is running on PfSense.
Not sure if you mean an external IPSec service or a VPN connection from elsewhere to your home, but both are supported. IPSec guides are the ones you should look for in the first case, Global Protect Portal + Gateway guides are for the remote access option.
PIA VPN, so we’re just talking about some commercial-grade VPN (such as NordVPN). And you want to configure the 440 as a client. First of all, there are zero benefits to using commercial-grade VPN other than location spoofing. Obviously, enterprise-grade firewalls are never going to support that because it’s pointless. You do see this on routers such as Synology, but again that’s a consumer-grade router.
You can put such a router in front of the PA-440, but what’s the point? But if you’re planning to run OpenWRT behind the PA-440, then I’m lost.
Yea are you trying to VPN into your LAN? So a VPN tunnel from a client out on the internet to the PA-440?
Global protect would be best for this
Or are you trying to do something else?
Global protect is the way to go great easy to setup
Why don’t you just setup IPSec to a Linux host on some cloud provider? Oracle Cloud has a pretty generous free tier.
Like others have said, Palo doesent support it and you will need to do it behind the palo and just allow it through. I assume what you are wanting to do is to have all traffic or subset of traffic leave over VPN?
I use it for making sure all my outbound traffic is encrypted to a location spoofed endpoint. Why? I’ve read plenty of stories about ISP’s snooping customers traffic. Also, I get on IRC a lot and would rather not hand-over an IP there as it’s a good place to attract attention.
It would appear a number of people do this in the replies above. But you’re saying zero benefits and no longer worth it? I’d like to hear more.
No, not trying to VPN into my LAN. I don’t allow anything to come in. Just securing all my outbound traffic from my LAN.
I’m not sure why this has been voted down. We use it without issue for 2.5k people.
Yeah, that’s pretty much it.
Not necessarily. Some VPN providers provide an option for IPSEC. So you should be able to create a tunnel from PA device to the provider. I would think you could route certain sites over this tunnel then all other traffic out the normal wan.
edit: pretty sure you don’t want ALL traffic to go through the VPN, but its possible I would think.
So you trust a random ISP somewhere else? Your ISP isn’t snooping shit, as soon as your traffic hits the internet it doesent matter where that happens. PIA and the like are a scam for 99% of people. You’re paying to slow down your own internet for zero added protection.
It would appear a number of people do this in the replies above. But you’re saying zero benefits and no longer worth it? I’d like to hear more.
GlobalProtect and IPSec, yes. But not for the reasons you think.
A VPN wouldn’t “secure” your outbound traffic. It’s a secure way to connect “TO” something. But if your talking about just browsing the internet, then a VPN won’t do anything for you.
Please tell me about that 1% where it’s not a scam for people.
I guess I’m not getting something here. If I browse/connect to a website, then:
- my location is spoofed to the websites logs.
- my outbound request is secure only till the exit point.
- and the return traffic is secure from the exit point back to me.
Is that not correct?
Typically only if you live in countries with restrictive blocking and filtering for the whole nation.
Yes I think you understand the traffic flow.
The way your using “secure” is debatable. In essence, your just changing the public IP, (also the geo location), that you appear to be sourcing traffic from. Which it sounds like you get that. But your still routing your traffic through a 3rd party, which is the vpn provider, so your shifting your “trust” around.
You are just rerouting the traffic. You can’t quantify if your traffic leaving the VPN provider is more secure then the traffic leaving your house. Sure, the traffic from your house TO the VPN provider is in an encrypted tunnel. But who cares- the traffic is still ultimately destined for random web servers. You won’t be able to get around that logistic.
The real advantage of using popular marketed “VPNs” is web servers won’t know your homes public IP. If that’s of value to you then you can accomplish that with a VPN service. This still all assumes you trust your VPN provider.